New Mac OS X malware variant spotted

Summary: Intego's security memo notes that OSX/HellRTS.D is being distributed on a number of forums, which means it will be accessible to a large number of malicious users who may attempt to use it to attack Macs.


Intego is reporting on a newly discovered variant of a Mac OS X malware first detected in 2004.

According to the company, the source code of OSX/HellRTS.D is already being distributed across multiple forums, which could allow attackers to create new variants of it.

More details on the malware:

  • It sets up its own server and configures a server port and password
  • It duplicates itself, using the names of different applications, adding the new version to a user’s login items, to ensure that it starts up at login. (These different names can make it hard to detect, not only in login items, but also in Activity Monitor.)
  • It can send e-mail with its own mail server, contact a remote server, and provide direct access to an infected Mac
  • It can also perform a number of operations such as providing remote screen-sharing access, shutting down or restarting a Mac, accessing an infected Mac’s clipboard, and much more
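The persistence trick in the list above (copies of the malware registered as login items under the names of legitimate applications) is detectable because an impersonating copy must live somewhere other than the real application bundle. The following is an added example, not code from Intego or from the article: a Python heuristic that takes the login item names and paths (on macOS these can be collected with `osascript -e 'tell application "System Events" to get name of every login item'` and the same query for `path`) plus an inventory of installed applications, and flags items whose name collides with a known application but whose path differs, items registered twice under one name, and unknown items outside the usual application directories. All sample data is constructed; the `installed_apps` inventory and the `TRUSTED_PREFIXES` list are assumptions for the example.

```python
"""Flag login items that impersonate legitimate applications.

Added example, not from Intego or the article. Assumes the caller has
already collected login item names and paths (e.g. via osascript on macOS)
and an inventory mapping application names to their real bundle paths.
"""
import os
from typing import Dict, List, Tuple

# Assumed: directories where a legitimately installed application bundle
# is expected to live. Items outside these are not necessarily malicious,
# only worth a closer look.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/", "/System/Library/")


def find_suspicious_login_items(
    names: List[str], paths: List[str], installed_apps: Dict[str, str]
) -> List[Tuple[str, str, str]]:
    """Return (name, path, reason) for login items that warrant inspection.

    names/paths are parallel lists as returned by two osascript queries;
    installed_apps maps a display name to the path of the real bundle.
    """
    findings = []
    first_seen: Dict[str, str] = {}
    for name, path in zip(names, paths):
        real = installed_apps.get(name)
        norm = os.path.normpath(path)
        if real is not None and norm != os.path.normpath(real):
            # A known application name pointing at a different binary is the
            # impersonation pattern described in the article.
            findings.append((name, path, "name matches %s but path differs" % real))
        elif real is None and not path.startswith(TRUSTED_PREFIXES):
            findings.append((name, path, "unknown item outside trusted application dirs"))
        if name in first_seen and first_seen[name] != path:
            # Same display name registered twice with different targets.
            findings.append((name, path, "duplicate login item name, first at %s" % first_seen[name]))
        first_seen.setdefault(name, path)
    return findings


def demo() -> List[Tuple[str, str, str]]:
    """Run the check over a constructed login item listing."""
    # Constructed sample: one legitimate Safari entry, one copy hiding in a
    # cache directory under the same name, plus two ordinary items.
    names = ["Dropbox", "Safari", "iTunes", "Safari"]
    paths = [
        "/Applications/Dropbox.app",
        "/Users/alice/Library/Caches/.sys/Safari.app",
        "/Applications/iTunes.app",
        "/Applications/Safari.app",
    ]
    installed_apps = {
        "Dropbox": "/Applications/Dropbox.app",
        "Safari": "/Applications/Safari.app",
        "iTunes": "/Applications/iTunes.app",
    }
    return find_suspicious_login_items(names, paths, installed_apps)


if __name__ == "__main__":
    for name, path, reason in demo():
        print("%-10s %-50s %s" % (name, path, reason))
```

The name-collision rule is the one that matters for this family: an entry called "Safari" whose target is not /Applications/Safari.app is exactly the look-alike the article says is hard to spot in the Login Items pane or Activity Monitor. Extend `installed_apps` from a real directory walk of /Applications before trusting the output on a live machine.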

According to the brief security memo, the fact that OSX/HellRTS.D "is being distributed on a number of forums shows that it will be accessible to a large number of malicious users who may attempt to use it to attack Macs."

A similar source code leak took place in November 2009, when the source code of the ikee iPhone worm became publicly available. That leak, however, didn't result in any new worm variants at the time.

The company has rated the malware as low risk because it is not aware of any infected Macs so far.

However, this rating shouldn't lower your overall situational awareness (see: How To Disable "Open Safe Files After Downloading" Feature In Safari): Mac OS X malware is no longer an urban legend but a realistic threat, with Apple Inc. publicly admitting that "no system can be 100 percent immune from every threat".

Topics: Security, Apple, Hardware, Malware, Operating Systems, Software

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • Cue the neverending crapfest..

    In fact I'll sum it up for you...

    "This shows all the Appletards that OSX CAN get viruses!" - WinTard

    "No idiot apple Shill, it's a malicious file, not a virus in the wild, Macs don't get viruses!" - AppleTard

    "This wouldn't happen with Open-Source because all the code is transparent" - Linux Tard
    • Wow, one item this year!

      Sure makes me feel unsafe, not! Are you related to Homer, Doh!
      • Oh my!

        Makes me want to get rid of all my Macs and run out and get one of those
        there Winders computers. How many viruses and pieces of malware on them
        Winders machines? I take it a lot less then them Apple puters. I trust
        Steve Ballmer, he would never allow such a thing on one of them Dell's or
        whatever brand to be vulnerable to such a thing. That would be unethical.
        Besides, who would trust a system from that dag hippy running Apple.
      • ....

        [i]Wow, one item this year! Sure makes me feel unsafe, not![/i]

        You're absolutely right... there's nothing to worry about. OS X is the most secure OS on the planet... or not...
      • As a viral writer, why would you bother??

        Targeting Windows (note malware almost needs to target specific variants these days), you hit a multitude of schools, businesses, general users, etc.

        Target Linux and you hit a multitude of Servers, businesses looking for less cost and more control, or a user-pool well equipped to fight back.

        Target Macs and you aim at a few Ad agencies, Magazines and a user-pool of Gen-Y'ers prattling on about how pretty their toys look (that's when you can pry them away from the mirror!). Let's face it; even if a TEAM of skilled malware writers got together and wrote a sophisticated code targeted at Macs, the majority of the users would be too distracted by their own reflection in the blank screens to even notice!!

        It wouldn't be worth the effort!
        • You're completely right.

          There couldn't be any financial gain in hacking the largest bank in the entire

          And nobody would be curious in hacking the largest particle accelerator in the
          world, or NASA's satellites. No no no.

          And definitely not the top 10 supercomputers in the world. What fun would that

          It's obviously much more fun and profitable to hack Joe Sixpack's Dell so you
          can steal the free porn he downloaded on Kazaa.

          That logic totally makes sense, yep.
    • Yep.. That's about it... except

      ... on here they're called Mactards and Lintards.

      But... Yeah.. that's pretty much right on the money. And somehow I think the Mac guy would likely say something more along the lines of "No, idiot Windoze (or M$) shill..." Somehow I doubt they'd be insulting their own. They'd also add something to the effect of "Show me ONE infection anywhere in the wild!" and eventually close their specious argument with "Nothing to see here, no worries!" or some variation of that.

      The Lintard bit - that's classic Dietrich...! Spot on!
      • Never heard that one before. Did you mean "Freetard"?
    • Hey, I never said that, but perhaps some other WinTard did? {nt}

    • RE:Cue the neverending crapfest..

      58 comments thus far and none by a "lintard"! Curious, no?
  • RE: New Mac OS X malware variant spotted

    but... but... but... OSX is immune to viruses and malware!

    /sarcasm off
  • Just once, just once I wish Dancho Danchev would

    tell his readers just what steps an OSX user would have to
    go thru in order for his system to be infected by a
    particular malware code - in this case, the OSX/HellRTS.D

    Its one thing to report that a particular software code is a
    virus or trojan or whatever. Its another matter to report
    how it is propagated.

    If this worm is classified as "low risk" then why is it "low
    risk"? If the answer is that no known OSX systems have
    been infected so far then the most important question to
    ask (or have answered) is why not? What prevents an OSX
    system from being infected by this worm? Or easily
    infected by this worm.

    These are questions I wish Dancho would answer .. Just
    • Isn't it obvious?

      It's probably got something to do with buying software off the company
      that is reporting this malware, I'm sure they offer a solution.

      Not downloading cracked and pirated software would be a good start.
    • You'd have to go to a VX forum, sign up, convince someone to send you the..

      ..source, compile it, mark it as executable, run it, and type in your root admin password.

      As opposed to the recent flaws in IE where simply browsing the web = pwnt.
      • It's a worm, and it configures itself to run at login...

        So that pretty much kills your entire argument.
        • No, not really. I was letting him know how he can get it, not what it does

          once he gets it.
          • Well then..

            you have a lack of understanding of what a worm is then.

            And much like Windows worms, only those that surf shady sites, and accept unknown files from others are really at risk.

            This notion that one must compile the worm themselves is completely false, as a worm spreads itself by definition. If it doesn't, then it is not a worm.
          • Again, no. It's apparent that you do, though.

            You're thinking of trojans.

            Back on topic; seeing as how the malware mentioned in the article isn't known
            to exist anywhere except as source code, it's going to be tricky infecting
            yourself with it without first compiling it.
          • Trojans don't spread themselves...

            trojans are only backdoor programs. The trojan is usually downloaded by a worm or virus.

            You're only digging yourself deeper here... give up while you're not too far behind.
          • @ShadowGIATL If you need to download and run it, it isn't running itself.